Using token-based signing to install unsigned binaries

ABSTRACT

The present invention provides for token based signing of an unsigned binary which may be a stream of bits (e.g., 0&#39;s and 1&#39;s). The unsigned binary is signed using a secret key which resides in a token (e.g., a smart card), which makes the secret key available to the token holder. The unsigned binary is downloaded and verified for authenticity by the token coupled to a computing device. In one embodiment, the downloaded unsigned binary is encrypted. If the unsigned binary is authentic, it may be used to replace the prior firmware on that computing device.

BACKGROUND OF THE INVENTION

[0001] 1. Field of the Invention

[0002] The present invention relates to token based signing of unsignedbinaries.

[0003] Portions of the disclosure of this patent document containmaterial that is subject to copyright protection. The copyright ownerhas no objection to the facsimile reproduction by anyone of the patentdocument or the patent disclosure as it appears in the Patent andTrademark Office file or records, but otherwise reserves all copyrightrights whatsoever.

[0004] 2. Background Art

[0005] An operating system is computer software that controls the manydifferent operations of a computer and directs and coordinates itsprocessing of programs. The operating system is made up of a complex setof instructions that schedules the series of jobs (user applications) tobe performed by the computer and allocates them to the computer'svarious hardware systems, such as the processor, main memory, andperipheral systems.

[0006] In modern computing environments, the operating system for acomputing device (or other computer program) may be downloaded to thedevice across a computer network from another computer and placed in anarea of the computer that normally can not easily be overwritten, and istermed firmware. Downloading the operating system or other firmware isparticularly advantageous when the firmware is upgraded or altered insome manner and the user of the computer wishes to take advantage of thealterations or upgrades.

[0007] Problems occur, however, when firmware is downloaded. Inparticular, some files downloaded across computer networks arecompromised for various reasons. One example is the case of a “trojanhorse” computer program where a malicious user substitutes the correctfirmware with the trojan horse. The trojan horse is then downloaded inplace of the firmware and begins to perform malicious actions on thecomputing device which may destroy a user's important files and even mayruin the computer's hardware. Thus, security measures should be in placeto ensure that the downloaded firmware is actually the computer programthat the user intends to run on the computing device. Implementing thesesecurity measures, however, is difficult. In the past these difficultieshave stopped firmware developers from making enhancements to computerprograms, such as operating systems, and have inhibited the ability toupdate the computing devices with the enhancements.

[0008] Before describing the current security measures in place toprevent problems such as trojan horses, an example computing environmentwhere this problem has specific application is described below.

[0009] Multi-Tier Application Architecture

[0010] In the multi-tier application architecture, a client communicatesrequests to a server for data, software and services, for example, andthe server responds to the requests. The server's response may entailcommunication with a database management system for the storage andretrieval of data.

[0011] The multi-tier architecture includes at least a database tierthat includes a database server, an application tier that includes anapplication server and application logic (i.e., software applicationprograms, functions, etc.), and a client tier. The application serverresponds to application requests received from the client. Theapplication server forwards data requests to the database server.

[0012]FIG. 1 provides an overview of a multi-tier architecture. Clienttier 100 typically consists of a computer system that provides a graphicuser interface (GUI) generated by a client 110, such as a browser orother user interface application. Conventional browsers include InternetExplorer and Netscape Navigator, among others. Client 110 generates adisplay from for example, a specification of GUI elements (e.g., a filecontaining input, form, and text elements defined using the HypertextMarkup Language (HTML)) and/or from an applet (i.e., a program such as aprogram written using the Java™ programming language, or other platformindependent programming language, that runs when it is loaded by thebrowser).

[0013] Further application functionality is provided by applicationlogic managed by application server 120 in application tier 130. Theapportionment of application functionality between client tier 100 andapplication tier 130 is dependent upon whether a “thin client” or “thickclient” topology is desired. In a thin client topology, the client tier(i.e., the end user's computer) is used primarily to display output andobtain input, while the computing takes place in other tiers. A thickclient topology, on the other hand, uses a more conventional generalpurpose computer having processing, memory, and data storage abilities.Database tier 140 contains the data that is accessed by the applicationlogic in application tier 130. Database server 150 manages the data, itsstructure and the operations that can be performed on the data and/orits structure.

[0014] Application server 120 can include applications such as acorporation's scheduling, accounting, personnel and payrollapplications, for example. Application server 120 manages requests forthe applications that are stored therein. Application server 120 canalso manage the storage and dissemination of production versions ofapplication logic. Database server 150 manages the database(s) thatmanage data for applications. Database server 150 responds to requeststo access the scheduling, accounting, personnel and payrollapplications' data, for example.

[0015] Connection 160 is used to transmit data between client tier 100and application tier 130, and may also be used to transfer theapplication logic to client tier 100. The client tier can communicatewith the application tier via, for example, a Remote Method Invocator(RMI) application programming interface (API) available from SunMicrosystems™. The RMI API provides the ability to invoke methods, orsoftware modules, that reside on another computer system. Parameters arepackaged and unpackaged for transmittal to and from the client tier.Connection 170 between application server 120 and database server 150represents the transmission of requests for data and the responses tosuch requests from applications that reside in application server 120.

[0016] Elements of the client tier, application tier and database tier(e.g., client 110, application server 120 and database server 150) mayexecute within a single computer. However, in a typical system, elementsof the client tier, application tier and database tier may executewithin separate computers interconnected over a network such as a LAN(local area network) or WAN (wide area network).

[0017] Thus, with the distribution of functionality between three ormore tiers, the machine-centric view of computing diminishes as the needto perform the complete realm of functionality moves away from solelybeing in the client tier to the other tiers as well. Hence, the type ofcomputing arrangement that is needed on the client tier also changes,for instance the operating system to be used on a computer in the clienttier is often downloaded across the multi-tiered network.

[0018] Security Measures

[0019] When downloading an operating system or other firmware, forinstance when a developer has made enhancements to an existing operatingsystem, it is desirable to have security measures in place so that thecomputer system is not compromised for any reason, such as when amalicious user substitutes the correct operating system file with thetrojan horse. One method to provide added security is by using acryptographic system.

[0020] A cryptographic system is a system for sending a message from asender to a receiver over a medium so that the message is “secure”, thatis, so that only the intended receiver can recover the message. Acryptographic system converts a message, referred to as “plaintext” intoan encrypted format, known as “ciphertext.” The encryption isaccomplished by manipulating or transforming the message using a “cipherkey” or keys. The receiver “decrypts” the message, that is, converts itfrom ciphertext to plaintext, by reversing the manipulation ortransformation process using the cipher key or keys. So long as only thesender and receiver have knowledge of the cipher key, such an encryptedtransmission is secure.

[0021] A “classical” cryptosystem is one in which the encipheringinformation can be used to determine the deciphering information. Toprovide security, a classical cryptosystem requires that the encipheringkey be kept secret and provided to users of the system over securechannels. Secure channels, such as secret couriers, secure telephonetransmission lines, or the like, are often impractical and expensive.

[0022] A system that eliminates the difficulties of exchanging a secureenciphering key is known as “public key encryption.” By definition, apublic key cryptosystem has the property that someone who knows only howto encipher a message cannot use the enciphering key to find thedeciphering key without a prohibitively lengthy computation. Anenciphering function is chosen so that once an enciphering key is known,the enciphering function is relatively easy to compute. However, theinverse of the encrypting transformation function is difficult, orcomputationally infeasible, to compute. Such a function is referred toas a “one way function” or as a “trap door function.” In a public keycryptosystem, certain information relating to the keys is public. Thisinformation can be, and often is, published or transmitted in anon-secure manner. Also, certain information relating to the keys isprivate. This information may be distributed over a secure channel toprotect its privacy, (or may be created by a local user to ensureprivacy).

[0023] A block diagram of a typical public key cryptographic system isillustrated in FIG. 2. A sender represented by the blocks within dashedline (200) sends a plaintext message, Ptxt, to a receiver, representedby the blocks within dashed line (215). The plaintext message isencrypted into a ciphertext message, C, transmitted over sometransmission medium and decoded by the receiver (215) to recreate theplaintext message Ptxt.

[0024] The sender (200) includes a cryptographic device (201), a securekey generator (202) and a key source (203). The key source (203) isconnected to the secure key generator (202) through line (204). Thesecure key generator (202) is coupled to the cryptographic device (201)through line (205). The cryptographic device provides a ciphertextoutput, C, on line (206). The secure key generator (202) provides a keyoutput on line (207). This output is provided, along with the ciphertextmessage (206), to transmitter receiver (209). The transmitter receiver(209) may be, for example, a computer transmitting device such as amodem or it may be a device for transmitting radio frequencytransmission signals. The transmitter receiver (209) outputs the securekey and the ciphertext message on an insecure channel (210) to thereceiver's transmitter receiver (211).

[0025] The receiver (215) also includes a cryptographic device (216), asecure key generator (217) and a key source (218). The key source (218)is coupled to the secure key generator (217) on line (219). The securekey generator (217) is coupled to the cryptographic device (216) on line(220). The cryptographic device (216) is coupled to the transmitterreceiver (211) through line (221). The secure key generator (217) iscoupled to the transmitter receiver (211) on lines (222) and (223).

[0026] In operation, the sender (200) has a plaintext message, Ptxt, tosend to the receiver (215). Both the sender (200) and the receiver (215)have cryptographic devices (201) and (216), respectively, that use thesame encryption scheme. There are a number of suitable cryptosystemsthat can be implemented in the cryptographic devices. For example, theymay implement the Data Encryption Standard DES) or some other suitableencryption scheme.

[0027] Sender and receiver also have secure key generators (202) and(217), respectively. These secure key generators implement any one ofseveral well known public key exchange schemes. Known schemes includethe Diffie-Hellman scheme, the RSA scheme, the Massey-Omura scheme, andthe ElGamal scheme.

[0028] The sender (200) uses key source (203), which maybe a randomnumber generator, to generate a private key. The private key is providedto the secure key generator (202) and is used to generate an encryptionkey, e_(K). The encryption key, e_(K), is transmitted on lines (205) tothe cryptographic device and is used to encrypt the plaintext message,Ptxt, to generate a ciphertext message, C, provided on line (206) to thetransmitter receiver (209). The secure key generator (202) alsotransmits the information used to convert to the secure key from keysource (203) to the encryption key, e_(K). This information can betransmitted over an insecure channel, because it is impractical torecreate the encryption key from this information without knowing theprivate key.

[0029] The receiver (215) uses key source (218) to generate a privateand secure key (219). This private key (219) is used in the secure keygenerator (217) along with the key generating information provided bythe sender (200) to generate a deciphering key, D_(K). This decipheringkey, D_(K), is provided on line (220) to the cryptographic device (216)where it is used to decrypt the ciphertext message and reproduce theoriginal plaintext message.

[0030] Authentication

[0031] In addition to protecting the contents of a transmitted message,it is also desired to provide a way to determine the “authenticity” ofthe message. That is, is the message actually from the purported sender.A scheme for accomplishing this is to append a so-called “digitalsignature” to the message. One such scheme is described herein. In thisscheme the enciphering transformation f_(A) is used to send a message touser A and f_(B) is the enciphering transformation used to send amessage to user B. User A provides a “signature”, P, that may includesome specific information, such as the time the message was sent or anidentification number. User A transmits the signature as f_(B)f_(A) ⁻¹(P). When user B deciphers the message using f_(B) ⁻¹, the entiremessage is decoded into plaintext except the signature portion, whichremains f_(A) ⁻¹ (P). User B then applies user A's public key f_(A) toobtain P. Since P could only have been encrypted by user A (because onlyuser A knows f_(A) ⁻¹) user B can assume that the message was sent byuser A.

[0032] Another scheme of digital signature authentication is ageneralization of the ElGamal discrete logarithm scheme, using ellipticalgebra. Assume a public key ourPub generated with a function of aprivate key ourPri. The signature is generated by first choosing arandom integer, m, of approximately q bits. Next, a point, P=m°(X₁/1),is computed. A message digest function, M, is used to compute aninteger, u, that is a function of m, ourPri, and the digested version ofthe ciphertext message and the computed point, P. The computed pair (u,P) is transmitted as the signature.

[0033] At the receiving end, the value of the signature is used tocompute the point Q=u°(X₁/1). A point, R, is calculated using P, thedigested version of the ciphertext message and P, and myPub. If R and Qdo not compare exactly, the signature is not valid (not genuine). Thesecurity of this scheme relies on the computational infeasability ofbreaking the elliptic logarithm operation or the hash function.

[0034] Current Schemes

[0035] Using a cryptographic system such as one using public and privatekeys is one method that is currently used to attempt to ensure thesecurity of a piece of firmware, such as an operating system when it isdownloaded to a computer. Thus, one scheme downloads new firmware to adevice that is signed with a secret key. Once downloaded, the firmware'ssignature is inspected by the device to ensure that it is authentic. Ifapproved, the new firmware is made active on the new device, the newdevice re-boots, and the new firmware is used, for instance by thedevice using the new firmware image as its operating system This methodis disadvantageous because it does not give a third-party firmwaredeveloper the ability to sign a piece of developed firmware. This meansthat the third-party developer has no way to enhance firmware andimplement it on a machine.

[0036] One method that allows a third-party to develop and implementfirmware is by providing the third-party with the secret key so thatthey can sign the firmware themselves. Serious drawbacks exist, however,if the private key escapes from the third-party and enters the generalpopulation, which often happens. In addition, the end-user may bemalicious as well. If a malicious user receives the private key or itslips out into the general population, then whoever knows the key cancompromise any computing device using such a key, which isdisadvantageous.

SUMMARY OF THE INVENTION

[0037] The present invention provides for token based signing of anunsigned binary. An unsigned binary is a stream of bits (e.g., 0's and1's). An unsigned binary comes as the result, for instance, of thedevelopment and compilation of operating system software. The unsignedbinary is then signed by the developer of the software using a secretkey. The secret key resides in a smart card which makes the secret keyunavailable to anyone except the owner of the smart card.

[0038] Once plugged in, the developed software is downloaded andverified by the smart card to be authentic. In one embodiment, thedownloaded software is encrypted. If the software is authentic, itreplaces the prior firmware on that device. The technique of storing thesecret key in the smart card significantly reduces the trojan horseproblem because the key resides only in one card which makes itimpossible to circulate the secret key across a computer network, suchas the Internet.

[0039] In one embodiment a hash function is placed at the location wherethe firmware is written and developed, such as a server, and anotherhash function is placed on the smart card. Once the unsigned binary isgenerated, the server signs the unsigned binary with the hash. Then, thesmart card is plugged in to its respective computing device. Once thesmart card is activated, the computing device recognizes the smart cardand knows that firmware is about to be downloaded and that the computingdevice should use the secret key on the smart card to verify thesignature.

[0040] Next, the firmware is downloaded along with the hash. In oneembodiment, the smart card, when inserted, may initiate the download ofthe unsigned binary and the hash to the user's computing device. Inanother embodiment, the server downloads the unsigned binary and thehash and the smart card insertion begins the verification process. Ineither case, the downloaded, unsigned binary and the hash are placed ina temporary buffer area of the computing device's memory.

[0041] Next, the computing device accesses its buffer to obtain theunsigned binary and uses the hash on the smart card to sign the unsignedbinary. Then, the downloaded hash is sent to the smart card and thesmart card verifies that the two hashes are the same. If they are, thedownloaded firmware is authentic and it can be used to replace theexisting firmware. If the two hashes differ, then the computing devicecannot trust the authenticity of the downloaded firmware (for instance,it may be a trojan horse) and it does not replace the existing firmware.

BRIEF DESCRIPTION OF THE DRAWINGS

[0042] These and other features, aspects and advantages of the presentinvention will become better understood with regard to the followingdescription, appended claims and accompanying drawings where:

[0043]FIG. 1 provides an overview of a multi-tier computer architecture.

[0044]FIG. 2 is a block diagram of a typical public key cryptographicsystem.

[0045]FIG. 3 is a flowchart of token based signing of an unsigned binaryaccording to an embodiment of the present invention.

[0046]FIG. 4 is a flowchart of token based signing of an unsigned binaryaccording to another embodiment of the present invention.

[0047]FIG. 5 is a flowchart of token based signing of an unsigned binaryaccording to another embodiment of the present invention.

[0048]FIG. 6 is an embodiment of a smart card architecture that can beused with the present invention.

[0049]FIG. 7 is a flowchart of token based signing of an unsigned binaryaccording to another embodiment of the present invention.

[0050]FIG. 8 shows an example of a thin client topology called a virtualdesktop system architecture.

[0051]FIG. 9 displays the partitioning of the functionality of thevirtual desktop system architecture.

[0052]FIG. 10 is a block diagram of an example embodiment of a humaninterface device.

[0053]FIG. 11 is a block diagram of a single chip implementation of ahuman interface device.

[0054]FIG. 12 is an embodiment of a computer execution environmentsuitable for the present invention.

DETAILED DESCRIPTION OF THE INVENTION

[0055] The invention relates to token based signing of unsignedbinaries. In the following description, numerous specific details areset forth to provide a more thorough description of embodiments of theinvention. It will be apparent, however, to one skilled in the art, thatthe invention maybe practiced without these specific details. In otherinstances, well known features have not been described in detail so asnot to obscure the invention.

[0056] Token Based Signing

[0057] The present invention provides for token based signing of anunsigned binary. An unsigned binary is a stream of bits (e.g., 0's and1's). An unsigned binary comes as the result, for instance, of thedevelopment and compilation of operating system software. Typically adeveloper will write, modify, and compile the software. The finishedsoftware is often compiled by a server computer which is where theunsigned binary will initially reside.

[0058] A mechanism is provided to ensure that the unsigned binary isauthentic and may replace a piece of firmware on an existing device. Oneembodiment of the present invention is shown in FIG. 3. At step 300, anunsigned binary is signed on a server. Then, at step 310, a smart cardis inserted into a computing device (e.g., by a developer). Next, theunsigned binary and the signature are downloaded from the server to thecomputing device at step 320.

[0059] After the download, the smart card signs the downloaded, unsignedbinary at step 330 using an identical signature methodology that theserver used, for instance identical hash functions, and compares thesignatures from itself and the server at step 340. Next, it isdetermined whether the signatures match at step 350. If they do not, thefirmware is rejected at step 360. Otherwise, the firmware is judged tobe authentic and it replaces the existing firmware at step 370.

[0060] In the manner shown in FIG. 3, the secret key that signs theunsigned binary resides in a smart card. This makes the secret keyunavailable to anyone except the holder of the smart card. The techniqueof storing the secret key in the smart card significantly reduces thetrojan horse problem because the key resides only in one card whichmakes it impossible to circulate the secret key across a computernetwork, such as the Internet.

[0061] Encryption

[0062] In one embodiment of the present invention, the unsigned binaryis encrypted as well. An embodiment of the present invention having anencryption feature is shown in FIG. 4. At step 400, an unsigned binaryis signed on a server. Then, at step 410, a developer inserts a smartcard into a computing device. Next, the unsigned binary is encrypted atstep 415. Then, the encrypted binary and the signature are downloadedfrom the server to the computing device at step 420.

[0063] After the download, the receiving device decrypts the binary atstep 425. Then, the smart card signs the downloaded, unsigned binary atstep 430 using an identical signature methodology that the server usedand compares the signatures from itself and the server at step 440.Next, it is determined whether the signatures match at step 450. If theydo not, the firmware is rejected at step 460. Otherwise, the firmware isjudged to be authentic and it replaces the existing firmware at step470.

[0064] Temporary Buffer

[0065] In one embodiment of the present invention, the unsigned binaryis stored in a temporary buffer of the computing device when it isdownloaded. An embodiment of the present invention using a temporarybuffer is shown in FIG. 5. At step 500, an unsigned binary is signed ona server. Then, at step 510, a developer inserts a smart card into acomputing device. Next, the unsigned binary and the signature aredownloaded from the server to the computing device at step 520. Upon thedownload, the binary and the signature are stored in a temporary bufferof the computing device's memory at step 525.

[0066] After storing the data in the buffer, the smart card obtains theunsigned binary from the temporary buffer at step 530 and signs it atstep 535 using an identical signature methodology that the server used.Next, the smart card compares the signatures from itself and the serverat step 540. Next, it is determined whether the signatures match at step550. If they do not, the firmware is rejected at step 560. Otherwise,the firmware is judged to be authentic and it replaces the existingfirmware at step 570.

[0067] Smart Card Architecture

[0068]FIG. 6 shows the architecture of one embodiment of a smart cardthat may be used with the present invention. The smart card 600 has aprocessor 605. This processor may be of limited capacity, such as an8-bit processor, since the smart card's computational power is limited.The smart card has a memory 610 coupled to the processor which isdivided up into non-volatile memory 615 and volatile memory 620. Thevolatile memory is further divided into EEPROM 625 and RAM 630. TheEEPROM contains the operating program for the smart card 635 and othercode 640, such as the code necessary to encrypt data and so on.

[0069] In one embodiment, the smart card has the ability to havesoftware downloaded into its non-volatile memory where it can executethe program by moving it to RAM where the smart card will act accordingto the instructions of the computer software. The smart card further hasa communications channel 635 between the processor and an externalsource 650 such as a host computer.

[0070] The processor in the smart card is configured to retaininformation within the smart card that is secret. For instance, a secretkey in the smart card will never be divulged across the communicationschannel 635. The smart card will, however, allow information to come inacross the communication channel and use the data. For instance, thesmart card is configured to receive data from an external source acrossthe communications channel, to use the secret key in the smart card, forexample to sign and encrypt the incoming data, and to send the resultsout along the communications channel 635 to the external source 640.

[0071] In one embodiment of the present invention, the smart cardarchitecture is utilized to perform token based signing of an unsignedbinary as shown in FIG. 7. At step 700 an unsigned binary is signed byan external source. Then, at step 710, a developer inserts a smart cardinto a computing device. Next, the unsigned binary and the signature aredownloaded from the external source to the smart card via acommunications channel in the smart card at step 720.

[0072] After the download, the smart card signs the downloaded, unsignedbinary in its volatile memory at step 730 using an identical signaturemethodology that the external source used and compares the signaturesfrom itself and the external source at step 740. Next, it is determinedwhether the signatures match at step 750. If they do not, the firmwareis rejected at step 760. Otherwise, the firmware is judged to beauthentic and a message to that effect is sent along the communicationschannel to the computing device by the smart card at step 770. Once themessage is received, the computing device replaces the existing firmwareat step 780.

[0073] Virtual Desktop System Architecture

[0074]FIG. 8 shows an example of a thin client topology called a virtualdesktop system architecture. The virtual desktop system architectureprovides a re-partitioning of functionality between a central serverinstallation 800 and end user hardware 810. Data and computationalfunctionality are provided by data sources via a centralized processingarrangement. At the user end, all functionality is eliminated exceptthat which generates output to the user (e.g., display and speakers),takes input from the user (e.g., mouse and keyboard) or otherperipherals that the user may interact with (e.g., scanners, cameras,removable storage, etc.). All computing is done by the central datasource and the computing is done independently of the destination of thedata being generated. The output of the source is provided to aterminal, referred to here as a “Human Interface Device” (HID). The HIDis capable of receiving the data and displaying the data.

[0075] The functionality of the virtual desktop system is partitionedbetween a display and input device such as a remote system andassociated display device, and data sources or services such as a hostsystem interconnected to the remote system via a communication link. Thedisplay and input device is a human interface device (HID). The systemis partitioned such that state and computation functions have beenremoved from the HID and reside on data sources or services. One or moreservices communicate with one or more HIDs through a communication linksuch as network. An example of such a system is illustrated in FIG. 9,wherein the system comprises computational service providers 900communicating data through communication link 901 to HIDs 902.

[0076] The computational power and state maintenance are provided by theservice providers or services. The services are not tied to a specificcomputer, but may be distributed over one or more traditional desktopsystems such as described in connection with FIG. 9, or with traditionalservers. One computer may have one or more services, or a service may beimplemented by one or more computers. The service provides computation,state and data to HIDs and the service is under the control of a commonauthority or manager. In FIG. 9, the services are provided by computers910, 911, and 912. In addition to the services, a central data sourcecan provide data to the HIDs from an external source such as for examplethe Internet or world wide web. The data source can also be broadcastentities such as those that broadcast data (e.g., television and radiosignals).

[0077] Examples of services include X11/Unix services, archived or liveaudio or video services, Windows NT service, Java™ program executionservice and others. A service herein is a process that provides outputdata and response to user requests and input. The service handlescommunication with an HID currently used by a user to access theservice. This includes taking the output from the computational serviceand converting it to a standard protocol for the HID. The data protocolconversion is handled by a middleware layer, such as the X11 server, theMicrosoft Windows interface, video format transcoder, the OpenGL®interface, or a variant of the java.awt.graphics class within theservice producer machine. The service machine handles the translation toand from a virtual desktop architecture wire protocol described furtherbelow.

[0078] Each service is provided by a computing device optimized for itsperformance. For example, an Enterprise class machine could be used toprovide X11/Unix service, a Sun MediaCenter™ could be used to providevideo service, a Hydra based NT machine could provide applet programexecution services.

[0079] The service providing computer system can connect directly to theHIDs through the interconnect fabric. It is also possible for theservice producer to be a proxy for another device providing thecomputational service, such as a database computer in a three-tierarchitecture, where the proxy computer might only generate queries andexecute user interface code.

[0080] The interconnect fabric can comprise any of multiple suitablecommunication paths for carrying data between the services and the HIDs.In one embodiment the interconnect fabric is a local area networkimplemented as an Ethernet network. Any other local network may also beutilized. The invention also contemplates the use of wide area networks,the Internet, the world wide web, and others. The interconnect fabricmay be implemented with a physical medium such as a wire or fiber opticcable, or it may be implemented in a wireless environment.

[0081] The interconnect fabric provides actively managed, low-latency,high-bandwidth communication between the HID and the services beingaccessed. One embodiment contemplates a single-level, switched network,with cooperative (as opposed to completing) network traffic. Dedicatedor shared communications interconnects maybe used in the presentinvention.

[0082] The HID is the means by which users access the computationalservices provided by the services. FIG. 9 illustrates HIDs 921, 922 and923. Each HID comprises a display 926, a keyboard 924, mouse 951, andaudio speakers 950. The HID includes the electronics need to interfacethese devices to the interconnection fabric and to transmit to andreceive data from the services.

[0083] A block diagram of an example embodiment of the HID isillustrated in FIG. 10. The components of the HID are coupled internallyto a PCI bus 1012. Network control block 1002 communicates to theinterconnect fabric, such as an Ethernet, through line 1014. An audiocodec 1003 receives audio data on interface 1016 and is coupled tonetwork control block 1002. USB data communication is provided on lines1013 to a USB controller 1001. The HID further comprises a embeddedprocessor 1004 such as a Sparc2ep with coupled flash memory 1005 andDRAM 1006. The USB controller 1001, the network control block 1002 andthe embedded processor 1004 are all coupled to the PCI bus 1012. A videocontroller 1009, also coupled to the PCI bus 1012, can include an ATIRagePro+ frame buffer controller which provides SVGA output on the line1015. NTSC data is provided in and out of the video controller throughvideo decoder 1010 and encoder 1011 respectively. A smartcard interface1008 may also be coupled to the video controller 1009.

[0084] Alternatively, the HID can comprise a single chip implementationas illustrated in FIG. 11. The single chip includes the necessaryprocessing capability implemented via CPU 1101 and graphics renderer1105. Chip memory 1107 is provided, along with videocontroller/interface 1106. A internal bus (USB) controller 1102 isprovided to permit communication to a mouse, keyboard and other localdevices attached to the HID. A sound controller 1103 and interconnectinterface 1104 are also provided. The video interface shares memory 1107with the CPU 1101 and graphics renderer 1105. The software used in thisembodiment may reside locally in on-volatile memory or it can be loadedthrough the interconnection interface when the device is powered.

[0085] The operation of the virtual desktop system architecture isdescribed in co-pending U.S. patent application Ser. No. 09/063,335,filed Apr. 20, 1998, entitled “Method and Apparatus for Providing AVirtual Desktop System Architecture” and assigned to the presentassignee, and incorporated herein by reference.

[0086] Embodiment of Computer Execution Environment (Hardware)

[0087] An embodiment of the invention can be implemented as computersoftware in the form of computer readable program code executed in ageneral purpose computing environment such as environment 1200illustrated in FIG. 12, or in the form of bytecode class filesexecutable within a Java™ run time environment running in such anenvironment, or in the form of bytecodes running on a processor (ordevices enabled to process bytecodes) existing in a distributedenvironment (e.g., one or more processors on a network). A keyboard 1210and mouse 1211 are coupled to a system bus 1218. The keyboard and mouseare for introducing user input to the computer system and communicatingthat user input to central processing unit (CPU) 1213. Other suitableinput devices maybe used in addition to, or in place of, the mouse 1211and keyboard 1210. I/O (input/output) unit 1219 coupled tobi-directional system bus 1218 represents such I/O elements as aprinter, A/V (audio/video) I/O, etc.

[0088] Computer 1201 may include a communication interface 1220 coupledto bus 1218. Communication interface 1220 provides a two-way datacommunication coupling via a network link 1221 to a local network 1222.For example, if communication interface 1220 is an integrated servicesdigital network (ISDN) card or a modem, communication interface 1220provides a data communication connection to the corresponding type oftelephone line, which comprises part of network link 1221. Ifcommunication interface 1220 is a local area network (LAN) card,communication interface 1220 provides a data communication connectionvia network link 1221 to a compatible LAN. Wireless links are alsopossible. In any such implementation, communication interface 1220 sendsand receives electrical, electromagnetic or optical signals which carrydigital data streams representing various types of information.

[0089] Network link 1221 typically provides data communication throughone or more networks to other data devices. For example, network link1221 may provide a connection through local network 1222 to host 1223 orto data equipment operated by ISP 1224. ISP 1224 in turn provides datacommunication services through the world wide packet data communicationnetwork now commonly referred to as the “Internet” 1225. Local network1222 and Internet 1225 may use electrical, electromagnetic or opticalsignals which carry digital data streams. The signals through thevarious networks and the signals on network link 1221 and throughcommunication interface 1220, which carry the digital data to and fromcomputer 1200, are exemplary forms of carrier waves transporting theinformation.

[0090] Processor 1213 may reside wholly on client computer 1201 orwholly on server 1226 or processor 1213 may have its computational powerdistributed between computer 1201 and server 1226. Server 1226symbolically is represented in FIG. 12 as one unit, but server 1226 canalso be distributed between multiple “tiers”. In one embodiment, server1226 comprises a middle and back tier where application logic executesin the middle tier and persistent data is obtained in the back tier. Inthe case where processor 1213 resides wholly on server 1226, the resultsof the computations performed by processor 1213 are transmitted tocomputer 1201 via Internet 1225, Internet Service Provider (ISP) 1224,local network 1222 and communication interface 1220. In this way,computer 1201 is able to display the results of the computation to auser in the form of output.

[0091] Computer 1201 includes a video memory 1214, main memory 1215 andmass storage 1212, all coupled to bi-directional system bus 1218 alongwith keyboard 1210, mouse 1211 and processor 1213. As with processor1213, in various computing environments, main memory 1215 and massstorage 1212, can reside wholly on server 1226 or computer 1201, or theymay be distributed between the two. Examples of systems where processor1213, main memory 1215, and mass storage 1212 are distributed betweencomputer 1201 and server 1226 include the thin-client computingarchitecture developed by Sun Microsystems, Inc., the palm pilotcomputing device and other personal digital assistants, Internet readycellular phones and other Internet computing devices, and in platformindependent computing environments, such as those that utilize the Javatechnologies also developed by Sun Microsystems, Inc.

[0092] The mass storage 1212 may include both fixed and removable media,such as magnetic, optical or magnetic optical storage systems or anyother available mass storage technology. Bus 1218 may contain, forexample, thirty-two address lines for addressing video memory 1214 ormain memory 1215. The system bus 1218 may also include, for example, a32-bit data bus for transferring data between and among the components,such as processor 1213, main memory 1215, video memory 1214 and massstorage 1212. Alternatively, multiplex data/address lines may be usedinstead of separate data and address lines.

[0093] In one embodiment of the invention, the processor 1213 is amicroprocessor manufactured by Motorola, such as the 680X0 processor ora microprocessor manufactured by Intel, such as the 80X86, or Pentiumprocessor, or a SPARC microprocessor from Sun Microsystems, Inc.However, any other suitable microprocessor or microcomputer may beutilized. Main memory 1215 may be comprised of dynamic random accessmemory (DRAM). Video memory 1214 maybe a dual-ported video random accessmemory. One port of the video memory 1214 may be coupled to videoamplifier 1216. The video amplifier 1216 may be used to drive adisplay/output device 1217, such as a cathode ray tube (CRT) rastermonitor. Video amplifier 1216 is well known in the art and maybeimplemented by any suitable apparatus. This circuitry converts pixeldata stored in video memory 1214 to a raster signal suitable for use bydisplay/output device 1217. Display/output device 1217 maybe any type ofmonitor suitable for displaying graphic images.

[0094] Computer 1201 can send messages and receive data, includingprogram code, through the network(s), network link 1221, andcommunication interface 1220. In the Internet example, remote servercomputer 1226 might transmit a requested code for an application programthrough Internet 1225, ISP 1224, local network 1222 and communicationinterface 1220. The received code maybe executed by processor 1213 as itis received, and/or stored in mass storage 1212, or other non-volatilestorage for later execution. In this manner, computer 1200 may obtainapplication code in the form of a carrier wave. Alternatively, remoteserver computer 1226 may execute applications using processor 1213, andutilize mass storage 1212, and/or video memory 1215. The results of theexecution at server 1226 are then transmitted through Internet 1225, ISP1224, local network 1222 and communication interface 1220. In thisexample, computer 1201 performs only input and output functions.

[0095] Application code may be embodied in any form of computer programproduct. A computer program product comprises a medium configured tostore or transport computer readable code, or in which computer readablecode may be embedded. Some examples of computer program products areCD-ROM disks, ROM cards, floppy disks, magnetic tapes, computer harddrives, servers on a network, and carrier waves.

[0096] The computer systems described above are for example only. Anembodiment of the invention may be implemented in any type of computersystem or programming or processing environment.

[0097] Thus, token based signing of unsigned binaries is described inconjunction with one or more specific embodiments. The invention isdefined by the claims and their full scope of equivalents.

1. A method for using a token to sign an unsigned binary comprising:signing an unsigned binary on a first computing device to obtain a firstsignature; downloading said first signature and said unsigned binary toa second computing device; using a token coupled to said secondcomputing device to sign said unsigned binary to obtain a secondsignature; and comparing said first and second signatures.
 2. The methodof claim 1 further comprising: using said unsigned binary on said secondcomputing device, if said first and second signatures match.
 3. Themethod of claim 1 further comprising: rejecting said unsigned binary onsaid second computing device, if said first and second signatures do notmatch.
 4. The method of claim 1 wherein said token is a smart card. 5.The method of claim 1 wherein said first computing device is a server.6. The method of claim 1 wherein said steps of signing and using useidentical hashes.
 7. The method of claim 1 further comprising:encrypting said unsigned binary and said first signature.
 8. The methodof claim 7 further comprising: de-crypting said encrypted unsignedbinary and first signature.
 9. A computer program product comprising: acomputer usable medium having computer readable program code embodiedtherein configured to use a token to sign an unsigned binary, saidcomputer program product comprising: computer readable code configuredto cause a computer to sign an unsigned binary on a first computingdevice to obtain a first signature; computer readable code configured tocause a computer to download said first signature and said unsignedbinary to a second computing device; computer readable code configuredto cause a computer to use a token coupled to said second computingdevice to sign said unsigned binary to obtain a second signature; andcomputer readable code configured to cause a computer to compare saidfirst and second signatures.
 10. The computer program product of claim 9further comprising: computer readable code configured to cause acomputer to use said unsigned binary on said second computing device, ifsaid first and second signatures match.
 11. The computer program productof claim 9 further comprising: computer readable code configured tocause a computer to reject said unsigned binary on said second computingdevice, if said first and second signatures do not match.
 12. Thecomputer program product of claim 9 wherein said token is a smart card.13. The computer program product of claim 9 wherein said first computingdevice is a server.
 14. The computer program product of claim 9 whereinsaid computer readable code configured to cause a computer to use andsaid computer readable code configured to cause a computer to sign useidentical hashes.
 15. The computer program product of claim 9 furthercomprising: computer readable code configured to cause a computer toencrypt said unsigned binary and said first signature.
 16. The computerprogram product of claim 15 further comprising: computer readable codeconfigured to cause a computer to de-crypt said unsigned binary and saidfirst signature.